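/*
 * Copyright 2019, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H
#define ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H

#include <aidl/android/hardware/identity/BnIdentityCredential.h>
#include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
#include <aidl/android/hardware/keymaster/VerificationToken.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>

#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

#include <cppbor.h>

#include "IdentityCredentialStore.h"
#include "PresentationSession.h"
#include "SecureHardwareProxy.h"

namespace aidl::android::hardware::identity {

using ::aidl::android::hardware::keymaster::HardwareAuthToken;
using ::aidl::android::hardware::keymaster::VerificationToken;
using ::android::sp;
using ::android::hardware::identity::SecureHardwarePresentationProxy;
using ::std::map;
using ::std::set;
using ::std::string;
using ::std::vector;

// Binder-side implementation of IIdentityCredential for one provisioned
// credential.
//
// This object holds the per-presentation state that successive
// IIdentityCredential calls build up (ephemeral keys, requested namespaces,
// tokens, the in-progress DeviceNameSpaces CBOR) and reaches the secure
// hardware through hwProxy_. Members are grouped below by the call that sets
// them; a method that reads a member set by an earlier call has to verify
// that the earlier call actually happened, since nothing here enforces the
// call order.
//
// Every argument of the IIdentityCredential methods arrives over binder and
// must be treated as untrusted; no validation happens in this header.
//
// NOTE(review): no synchronization is visible in this class. Unless the
// binder threading model or the owning session serializes calls, concurrent
// calls on one instance would race on these members — confirm in the .cpp.
class IdentityCredential : public BnIdentityCredential {
  public:
    // hwProxyFactory:      factory used by ensureHwProxy() to create hwProxy_.
    // credentialData:      opaque credential blob; initialize() parses and
    //                      decrypts it, so it is secret material while held.
    // session:             presentation session this credential belongs to
    //                      (whether null is permitted is decided in the .cpp,
    //                      it is not checked here).
    // hardwareInformation: capabilities reported by the secure hardware.
    //
    // The constructor only stores its arguments; the object is not usable
    // until initialize() has returned a success status.
    IdentityCredential(sp<SecureHardwareProxyFactory> hwProxyFactory,
                       const vector<uint8_t>& credentialData,
                       std::shared_ptr<PresentationSession> session,
                       HardwareInformation hardwareInformation)
        : hwProxyFactory_(std::move(hwProxyFactory)),
          credentialData_(credentialData),
          session_(std::move(session)),
          hardwareInformation_(std::move(hardwareInformation)) {}

    // Parses and decrypts credentialData_, return a status code from
    // IIdentityCredentialStore. Must be called right after construction.
    // Fills in docType_, testCredential_ and encryptedCredentialKeys_.
    int initialize();

    // Methods from IIdentityCredential follow.

    // Proof-of-deletion signatures; the "WithChallenge" variant binds the
    // caller-supplied challenge into the signed payload.
    ndk::ScopedAStatus deleteCredential(vector<uint8_t>* outProofOfDeletionSignature) override;
    ndk::ScopedAStatus deleteCredentialWithChallenge(
            const vector<uint8_t>& challenge,
            vector<uint8_t>* outProofOfDeletionSignature) override;
    ndk::ScopedAStatus proveOwnership(const vector<uint8_t>& challenge,
                                      vector<uint8_t>* outProofOfOwnershipSignature) override;

    // Session-establishment inputs: our ephemeral key (createEphemeralKeyPair)
    // and the reader's (setReaderEphemeralPublicKey). Their results are
    // kept in ephemeralPublicKey_ / readerPublicKey_.
    ndk::ScopedAStatus createEphemeralKeyPair(vector<uint8_t>* outKeyPair) override;
    ndk::ScopedAStatus setReaderEphemeralPublicKey(const vector<uint8_t>& publicKey) override;
    ndk::ScopedAStatus createAuthChallenge(int64_t* outChallenge) override;
    ndk::ScopedAStatus setRequestedNamespaces(
            const vector<RequestNamespace>& requestNamespaces) override;
    ndk::ScopedAStatus setVerificationToken(const VerificationToken& verificationToken) override;

    // Starts a retrieval. The access-control profiles, auth token, item
    // request, signing-key blob, session transcript, reader signature and
    // request counts all come from the caller; their consistency with each
    // other (and with the token MACs) is established in the .cpp / secure
    // hardware, not here.
    ndk::ScopedAStatus startRetrieval(
            const vector<SecureAccessControlProfile>& accessControlProfiles,
            const HardwareAuthToken& authToken, const vector<uint8_t>& itemsRequest,
            const vector<uint8_t>& signingKeyBlob, const vector<uint8_t>& sessionTranscript,
            const vector<uint8_t>& readerSignature, const vector<int32_t>& requestCounts) override;
    // One entry is delivered as startRetrieveEntryValue() followed by one or
    // more retrieveEntryValue() chunks totalling entrySize bytes.
    ndk::ScopedAStatus startRetrieveEntryValue(
            const string& nameSpace, const string& name, int32_t entrySize,
            const vector<int32_t>& accessControlProfileIds) override;
    ndk::ScopedAStatus retrieveEntryValue(const vector<uint8_t>& encryptedContent,
                                          vector<uint8_t>* outContent) override;
    ndk::ScopedAStatus finishRetrieval(vector<uint8_t>* outMac,
                                       vector<uint8_t>* outDeviceNameSpaces) override;
    ndk::ScopedAStatus generateSigningKeyPair(vector<uint8_t>* outSigningKeyBlob,
                                              Certificate* outSigningKeyCertificate) override;

    ndk::ScopedAStatus updateCredential(
            std::shared_ptr<IWritableIdentityCredential>* outWritableCredential) override;

    ndk::ScopedAStatus finishRetrievalWithSignature(vector<uint8_t>* outMac,
                                                    vector<uint8_t>* outDeviceNameSpaces,
                                                    vector<uint8_t>* outEcdsaSignature) override;

  private:
    // Shared body of deleteCredential() and deleteCredentialWithChallenge();
    // includeChallenge presumably selects whether challenge is bound into
    // the proof-of-deletion signature — confirm in the .cpp.
    ndk::ScopedAStatus deleteCredentialCommon(const vector<uint8_t>& challenge,
                                              bool includeChallenge,
                                              vector<uint8_t>* outProofOfDeletionSignature);

    // Creates and initializes hwProxy_.
    ndk::ScopedAStatus ensureHwProxy();

    // Set by constructor
    sp<SecureHardwareProxyFactory> hwProxyFactory_;
    vector<uint8_t> credentialData_;
    std::shared_ptr<PresentationSession> session_;
    // Number of startRetrieval() calls seen so far; presumably lets the .cpp
    // distinguish a first retrieval from a repeated one — confirm there.
    int numStartRetrievalCalls_ = 0;
    HardwareInformation hardwareInformation_;

    // Set by initialize()
    string docType_;
    // Default-initialized so a read before initialize() has run yields a
    // defined value (false) rather than indeterminate memory.
    bool testCredential_ = false;
    vector<uint8_t> encryptedCredentialKeys_;

    // Set by ensureHwProxy()
    sp<SecureHardwarePresentationProxy> hwProxy_;

    // Set by createEphemeralKeyPair()
    vector<uint8_t> ephemeralPublicKey_;

    // Set by setReaderEphemeralPublicKey()
    vector<uint8_t> readerPublicKey_;

    // Set by setRequestedNamespaces()
    vector<RequestNamespace> requestNamespaces_;

    // Set by setVerificationToken().
    // NOTE(review): this class does not check the token's MAC itself;
    // confirm the secure hardware side verifies it before it is relied on.
    VerificationToken verificationToken_;

    // Set at startRetrieval() time.
    vector<uint8_t> signingKeyBlob_;
    vector<uint8_t> sessionTranscript_;
    vector<uint8_t> itemsRequest_;
    // Per-namespace number of entries the caller may still retrieve;
    // presumably decremented by startRetrieveEntryValue() — confirm in the .cpp.
    vector<int32_t> requestCountsRemaining_;
    map<string, set<string>> requestedNameSpacesAndNames_;
    cppbor::Map deviceNameSpacesMap_;
    cppbor::Map currentNameSpaceDeviceNameSpacesMap_;

    // Calculated at startRetrieval() time.
    size_t expectedDeviceNameSpacesSize_ = 0;
    vector<unsigned int> expectedNumEntriesPerNamespace_;

    // Set at startRetrieveEntryValue() time.
    string currentNameSpace_;
    string currentName_;
    vector<int32_t> currentAccessControlProfileIds_;
    // Bytes of the current entry not yet consumed by retrieveEntryValue();
    // zero until startRetrieveEntryValue() sets it from entrySize.
    size_t entryRemainingBytes_ = 0;
    // NOTE(review): a plain vector, not wiped on destruction; if this ever
    // holds decrypted entry content, consider clearing it explicitly.
    vector<uint8_t> entryValue_;

    // Presumably fills expectedDeviceNameSpacesSize_ /
    // expectedNumEntriesPerNamespace_ for the profiles enabled in
    // accessControlProfileMask — confirm in the .cpp.
    void calcDeviceNameSpacesSize(uint32_t accessControlProfileMask);
};

}  // namespace aidl::android::hardware::identity

#endif  // ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H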